Bluetooth insecurity — an older story than I thought

While putting together the Footnotes for my column in today’s Observer, I suddenly remembered that Bruce Schneier had queried the security of Bluetooth way back in 2000 — when the technology was still mostly a gleam in a consortium’s eye. Here’s what he said then:

“Bluetooth is … an eavesdropper’s dream. Eavesdrop from up to 300 feet away with normal equipment, and probably a lot further if you try. Eavesdrop on the CRT and a lot more. Listen as a computer communicates with a scanner, printer, or wireless LAN. Listen as a keyboard communicates with a computer. (Whose password do you want to capture today?) Is anyone developing a Bluetooth-enabled smart card reader?

What amazes me is the dearth of information about the security of this protocol. I’m sure someone has thought about it, a team designed some security into Bluetooth, and that those designers believe it to be secure. But has anyone reputable examined the protocol? Is the implementation known to be correct? Are there any programming errors? If Bluetooth is secure, it will be the first time ever that a major protocol has been released without any security flaws. I’m not optimistic.

And what about privacy? Bluetooth devices regularly broadcast a unique ID. Can that be used to track someone’s movements?

The stampede towards Bluetooth continues unawares. Expect all sorts of vulnerabilities, patches, workarounds, spin control, and the like. And treat Bluetooth as a broadcast protocol, because that’s what it is.”

Going phishing

From today’s Guardian:

As scams go, the email was hardly sophisticated. “Hello dear client Barclays Bank,” it warned recipients. “Today our system of safety at night has been cracked!!! It not a joke!!! It is the truth!!! We ask you, in order to prevent problems, to repeat registration of your data. Make it very quickly! Administration Barclays Bank.”

But new research reveals the scale of a fraud which has already cost British banks hundreds of thousands of pounds after customers have been fooled by these apparently crude messages into divulging their online banking passwords to organised criminals.

The survey by the email security consultants MessageLabs will make grim reading for the online banking industry, which now boasts 11 million users. The scams, which first hit Britain last August, may range from the inept to the highly complex but they are starting to hurt.

“Phishing scams are pretty sophisticated, it’s high level social engineering,” said Mark Sunner, chief technical officer at MessageLabs. “They must be working because we are seeing so much of it. All the major banks are saying it’s a problem. Initially they were worried about loss of reputation, now it’s loss of money.”

We need psychiatrists here, folks. For this kind of ‘social engineering’ (nice Orwellian phrase, that) to work, people have to be extraordinarily stupid. Yet they are. That’s also why virus writers increasingly rely on gullible users to open rogue attachments as a way of disseminating malicious code. Why do people fall for this?

Moreover…I first came across the term ‘social engineering’ in Karl Popper’s writings — especially The Open Society and its Enemies. He was attacking ideologies requiring wholesale political reconstruction of society (what he called “utopian social engineering”) because they led inevitably to tyranny and totalitarianism. An open society, in contrast, would be based on step-by-step reform (“piecemeal social engineering”), in which every step could be critically examined and corrected. Seems such a far cry from phishing expeditions.

Bluetooth, schmootooth

I once had a Bluetooth phone — a Sony-Ericsson T68i which I got because my geek friends told me it was the only one that worked with Mac OSX.

Well, it kind-of worked, but was fantastically erratic and unreliable. T-Mobile replaced the phone twice, but it got to the point where I couldn’t ever depend on it. And if your mobile is your main phone (as mine is) then that’s just not on. So one day last January I dumped it and went out and bought a cheapo, no-frills Nokia which has worked faultlessly ever since.

My main complaint was with the manufacturer, not the technology. Bluetooth seemed to me to be a good idea in principle. It meant, for example, that I could use the phone (when it worked) to drive presentations on my laptop. And I hate wires, so anything that reduced wiring seemed, a priori, to be A Good Thing.

That was before Adam Laurie went to work on it. He’s the Chief Security Officer at a British company, AL Digital. “Before we deploy any new technology for clients or our own staff”, he told C-Net, “one of my duties is to investigate that technology and ensure it is secure–actually rolling your sleeves up and looking at it, not just taking the manufacturers’ claims at face value. When I did that, I found that it is not secure,” he said.

Laurie found that phones are vulnerable to “bluesnarfing,” in which an attacker exploits a flaw to read, modify and copy a phone’s address book and calendar without leaving any trace of the intrusion. The flaw affects a number of Sony Ericsson, Ericsson and Nokia handsets (including my benighted T68i), but some models–including a handful of Nokia phones–are at greater risk because they invite attack even when in “invisible mode” — i.e. when they are supposed not to be broadcasting their presence. For the grisly details, see the web page he has prepared.

On Wednesday last (April 14) the London Times carried an interesting article by Steve Boggan, who went out on the streets with Adam Laurie and found that Bluesnarfing was indeed as easy as Laurie had claimed. It was also intriguing to see the differences between the two main companies affected. Sony-Ericsson put up a feeble spokesbot who first tried to downplay the problem. Nokia, in contrast, were more forthcoming. When quizzed by C-Net, they acknowledged that some of their phones were vulnerable, but claimed that an attack was only possible if the Bluetooth was in ‘visible’ mode. (Wrong, according to Laurie, for some models.) The Nokia spokesman also volunteered some extraordinary news:

If an attacker had physical access to a 7650 model, a bluesnarf attack would not only be possible, but it would also allow the attacker’s Bluetooth device to “read the data on the attacked device and also send SMS messages and browse the Web via it.”

What does all this mean? Well, it’s worrying, simply because mobile phones are becoming the repository for increasing amounts of personal data. If they are not secure, then there is massive scope for mischief. And the riposte that “one can always switch Bluetooth off” is not as reassuring today as it was a few months ago. The UK law which makes it a criminal offence to use a handheld mobile while driving has led to a massive increase in the use of Bluetooth headsets — which of course require that Bluetooth be switched on!

Photoshopping

If all else fails, incompetent photography can be rescued by Adobe. This picture of the view from the top of the Conor Pass comes from a photograph which didn’t hack it as a straight pic (it was too anaemic, somehow). I expect I didn’t think hard enough about exposure times in the freezing wind up there. But running through a Photoshop filter has made it look more interesting. That beach you can see in the distance is a great place for junior surfers BTW — as the kids will testify.

Postcard humour

The kids and I went to Dingle for the day (we were in Kerry for a short Easter break). Walking down a side-street we saw this:

One of the boys said “That’s a postcard shot, Dad!”. A few minutes later we looked in a shop selling postcards, and sure enough, there was a photograph of a small white dog waiting patiently for his owner. The only difference was that the mutt was outside a pub!

Why mobile phones are annoying

Andrew Monk and colleagues from the University of York have performed a study to assess why it’s so annoying when other people have cellphone conversations in public.

“The researchers staged one-minute conversations in front of unsuspecting commuters who were either riding a train or waiting for a bus. In half the cases, two actors conversed face-to-face while seated next to a potential test participant. In the other half, a single actor talked on a mobile phone while seated next to a potential participant.

Furthermore, the actors conducted half of the conversations at a normal loudness level, whereas the other half were exaggeratedly loud (as measured on a volume meter). The actual content and duration of the conversations were the same in all conditions.

After each test conversation, researchers approached the bystanders and asked them to complete a small survey about the conversation. In other words, while the conversation was taking place, the participants didn’t know that they were part of an experiment, but rather assumed that the conversation was the normal behavior of one or two other commuters.”

[Summary of results from Jakob Nielsen’s newsletter.]

At last, something to do when you’re stuck on the M25

Log onto the Net using WiFi and do your email. How? Well, according to this report,

“The U.K. government is planning to upgrade its roadside telematics system with a wireless network designed to blanket the country with low-cost wireless Internet access.

At this week’s Wireless LAN Event here, a small Exeter-based company called Last Mile Communications (a trading name of five-year-old TIVIS Ltd.) launched the patented technology the government is eyeing for its massive roadside infrastructure upgrade. Under Last Mile’s scheme, contractors would install about 150,000 inexpensive wireless broadband transceivers in such equipment as street lights and traffic lights, which will run off available power or even solar energy.

These units will self-configure into a network capable of passing signals from one node to another until it reaches an Internet uplink, a technique known as multi-hop or mesh networking. Anyone within about 250 meters (about 820 feet) of a node will be able to access a wireless connection of 40M bps to 400M bps, although the connection will probably initially be made using standards such as Wi-Fi or WiMax, which are considerably slower. A typical consumer broadband connection runs at about half a megabit per second.

The network is designed to connect to the broader Internet via any sort of uplink, including a standard T1 line or satellite broadband connection, the company said.

If Last Mile’s scheme is successful, it would make wireless dramatically more prevalent than it is now, with Wi-Fi hot spots currently limited to places such as airports, coffee shops and convention centers. It could also be a solution to the problems carriers have faced in bringing high-speed Internet access to remote areas that aren’t serviced by cable broadband or DSL.”